Benchmarking the scalability of model-checker-based detection of timing anomalies

Description de l'unité

The French Alternative Energies and Atomic Energy Commission (CEA) is a key player in research, development and innovation in four main areas: defense and security, nuclear and renewable energies, technological research for industry, fundamental research in the physical sciences and life sciences. Drawing on its widely acknowledged expertise, the CEA actively participates in collaborative projects with a large number of academic and industrial partners. One of three institutes that comprise CEA Tech, the List institute is committed to technological innovation in digital systems. Within the DSCIN department of CEA List, the LECA laboratory invests R&D efforts in the analysis and verification of timing properties of embedded systems.

Safety-critical systems such as autonomous vehicles and modern avionic computers have to satisfy strong timing requirements. A failure to meet a timing constraint, missing a deadline for example, may result in serious malfunctions. Therefore, it is crucial to compute safe timing bounds for these systems.

Worst-Case Execution Time (WCET) analyses compute sound and (desirably) tight worst-case execution bounds, exploring, via convenient abstractions, all the execution paths of a program running on a computer architecture. This process is complicated by the presence of Timing Anomalies (TA) [1], a counterintuitive behavior in the sense that the local worst-case timing behavior, typically due to a cache miss, does not result in the global worst-case performance. TAs thus require an exhaustive exploration of the reachable hardware states, which is costly or often even prohibitive.

The LECA laboratory has developed a framework to detect TAs [2, 3] within programs, that is based on a formal model of a representative Out-of-Order (OoO) pipeline of processors described using the TLA+ high-level language [4]. The output of the gem5 simulator is used to generate program specifications from input C source codes, and local timing variations are generated using heuristics targeting the latencies of memory instructions. Finally, TA is expressed as an hyper-property in TLA+ and formally verified with the TLC model-checker over a combined formal model of the pipeline and a program.

A first goal of this internship is to evaluate the scalability of this workflow, in particular for identifying the lifetime of TAs but also their patterns. It requires to represent in the formal specification of programs the notion of basic blocks, the atomic analysis unit in static WCET analyses. This will enable to study whether TAs can propagate across several basic blocks and help to capture the limits of the workflow. These evaluations will be performed on an higher number of source codes from the TACLe benchmarks than currently supported. Another goal of this internship is then to study how the scalability of this workflow can be optimized by either using the output of WCET cache analyses to narrow the set of latency variations, vary the verification instant for the detection of TAs or by using different model-checkers, such as the Apalache symbolic model-checker for TLA+ [5].

Computer engineering student (final year) or master 2 student with knowledge in computer architecture, and formal methods, in particular model checking. Communication and writing skills, teamwork motivation and eager to learn.

In line with CEA's commitment to integrating people with disabilities, this job is open to all.

